[Tfug] Multiple distros for security?

Jesse Allen jesse.carl at gmail.com
Thu Jan 22 22:17:04 MST 2009


Based on running CentOS and Ubuntu simultaneously on servers at my old 
job, the overhead involved is not worth it to run multiple distros in a 
production environment. The software being out of sync can make a huge 
impact on work flow. CentOS was something like 30 bug fixes behind 
Ubuntu Server for MySQL when we started moving servers; the code that 
worked on CentOS did not work on Ubuntu (I didn't write it, just try to 
fix it). Also, if there is a vulnerability in some software package, it 
may need to be fixed in all the distros, and that would take just that 
much more time. I'm sure you've already thought through all this, but my 
2 cents is that I think there are other ways to increase security for 
far less cost. It just doesn't sound like a smart business decision.

- Jesse

Matt Jacob wrote:
> Hi everybody,
>
> An issue came up at work recently while discussing the architecture
> for a new DNS server deployment. It was suggested that using different
> distros (Debian, FreeBSD, and probably CentOS) across each DNS server
> would provide greater security in the event of a 0-day exploit against
> a particular distro. While I don't disagree with that thinking, an
> obvious con is that maintenance will take longer, software versions
> will be out of sync, and admins will be forced to manage systems
> they're not comfortable with.
>
> The question, then, is whether there is enough merit in distro
> diversification to outweigh the added complexity and management time.
> My feeling is that proven distros such as Debian, CentOS, Fedora,
> SUSE, etc. are secure enough to stand on their own, and I think we've
> seen this verified in the wild. However, I can't forget about the
> Debian OpenSSL vulnerability not so long ago that seems to disprove my
> theory. On the other hand, attacks against a particular piece of
> software would apply to any system (Apache, MySQL, PowerDNS, etc.).
>
> Alright, enough of me thinking out loud. Spark some discussion and try
> to convince me one way or the other.
>
> Thanks!
>
> Matt




